• [RESOLVED] DNS forward fails to resolve a specific name

    Locked
    6
    0 Votes
    6 Posts
    8k Views
    Thanks guys, that's solved it. DNS was never my strong point, but it's nice to learn something new  :)
  • DHCP Server - multiple scopes

    Locked
    5
    0 Votes
    5 Posts
    8k Views
    @wallabybob: Go to Services -> DHCP Server, click on the tab for the relevant VLAN interface, enable it and fill in the details. Thanks - turns out I hadn't enabled the vlan interface after assigning it, which was why I could create a DHCP server to run on it.
  • PfSense2 - Multi LAN DHCP problem

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    @jimp: The way our GUI works there probably isn't a way around that. You are telling it to deny unknown clients, but to the DHCP daemon any static mapping is in fact a known client. If you have static ARP enabled though, even if the client pulls an IP it shouldn't be able to talk to (or beyond) the firewall since it would not match the static ARP entry. It may be able to talk to other things in its subnet though because it would be up to the switch to filter that. If you really want to lock things down that much you should be locking down at layer2. Even if you cut the clients off from DHCP there is nothing stopping them from manually configuring an IP address on the other network(s) and bypassing any firewall restrictions to reach other things in that subnet without more protection at layer 2 from your switch. FYI, I was using this same scenario up until version 2.0.1. I have two physical interfaces, LAN and PHONE. I have a DHCP server enabled on both and "Deny Unknown Clients" checked on the PHONE interface. I have static mappings for both interfaces, but as of 2.0.1, a static mapping on the LAN tab allows a machine to pull an IP address from the PHONE tab pool. Perhaps I had a happy coincidence of things to make it work the way I wanted, but it was definitely working for months until I upgraded to 2.0.1 a few days ago.
  • DHCP and DNS Forwarder Override Question

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    Good lord that was an easy fix.  My head was going in the complete wrong direction and making it more complex than it needed to be. Sorry to be so ignorant.  Thanks for the simple answer. Thanks, Brian
  • Dhcpd: DHCPDECLINE .. same client different radio… Bug ??

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    anyone?
  • Export DHCP entries, import on Captive Portal

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    @laurocgb: I tried editing the XML config file with sed, but the result was an invalid XML, which made the system unbootable (network interface mismatch error, with only ascii chars on the xml, no accentuation). Interface mismatch is reported on startup when the config file references an interface which isn't present in the system. That suggests to me that your editing may have messed with the interfaces section of the config file, perhaps changing an interface name or adding a new interface name. Did you keep the original config file so you could check your editing made only the intended modifications? I don't know of any plugin or script to do what you describe so if you are unwilling to use the web GUI for your configuration changes some sort of editing of the config file is the only alternative I can suggest.
  • Windows Server Authoritative DNS

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    johnpoz
    If you want to see the flow with nslookup, set debug. If you are wanting to actually do any real troubleshooting or understanding of what is happening with dns – the tool dig is much better suited than the very limited windows nslookup. Yes for PTR records you're going to need the arpa zone.
  • Exclude an ip range in DHCP server scope

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    only one range is supported, you'd have to hack the source to do that. dhcpd.conf comes from /etc/inc/services.inc IIRC.
  • Unable to get to outside world

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    I just wanted to let you know that I got the problem resolved. The problem ended up being a Comcast issue. Once Comcast was fixed, I rebooted the pfsense and everything started working. Also, now that it is working, I looked at the routes and the DNS servers are not listed anymore.
  • Using DNS in PFSense to split traffic based on host request

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    marcelloc
    To not get off topic, you can ask for varnish help on this thread http://forum.pfsense.org/index.php/topic,38271.0.html
  • DNS Bind issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Adding the entry to your host file is not the right way to do this. pfsense>services>dns forwarder Add to host overrides www      mysiteurl.com        myserverIP        (whatever for desc.) or add to domain overrides if you wish mysiteurl.com  myserverIP  (do not enter your host names i.e. WWW) Cheers
  • DNS Forwarding issue

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    Ok. I'm just using the pfsense box as DNS, and it does work when I set it up to (ex. printer.private) it does go to the printer page. I guess I'll just use it like this since I don't have a separate server for WINS. Thanks for your help.
  • FreeDNS

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcelloc
    After creating a dns account, basic info to configure is username, password, hostname
  • Dyndns in multiwan environment, WAN2 (opt1) ip update fails

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    Found it. Pinging through opt1 any host from the ssh-console didn't work, even traffic routed through the opt1 interface didn't answer, well ping answered on client machines routed through opt1 (LAN rule) but no internet. Setting opt1 as the default gateway enabled traffic routing through opt1, but disabled it on wan. (I've read about this behavior here quite a few times) I've deleted my only NAT rule, switched "Allow default gateway switching" on and off and recreated the NAT rule (tcp-rule) exactly like it was before and now everything works, dyndns (without modifications), traffic routed through opt1 etc. I couldn't recreate this behavior… Edit: I had a layer7-filter-floating-rule which blocked opt1, don't know why... Thanks
  • 0 Votes
    1 Posts
    3k Views
    No one has replied
  • Tinydns doesn't resolv external address but work for internal

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    I find the answer with this post http://forum.pfsense.org/index.php/topic,44413.0.html
  • Non-caching DNS

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    johnpoz
    So I take it pfsense is your office firewall server? So is pfsense going to be your network's dhcp server? Sure you can hand out whatever you want in dhcp for clients dns, be it pfsense box or any other dns for that matter. Your non-caching statement is a bit confusing.. If you want to be an authoritative name server for say yourdomain.tld and not do recursive that is fine, no caching would be done.  But then you say "and also able to resolve external hosts." Well if the nameserver is going to look up what I assume is public dns, then it would cache those entries.  Even if looking up say records from other specific nameservers you create NS records for, it would then still cache those lookups for the length of the TTL.  This is just how dns works. I have never heard of anyone that would want to look up records from other nameservers and not cache those for the length of the TTL of what was looked up. Unbound or Tiny Dns packages would both be able to do what you're after – I am becoming a real fan of unbound, and would suggest you take a look at that one.. The package has become very feature rich, and pretty much anything you can think of can be configured right from the package gui it adds into the pfsense gui. You can resolve local hosts, ie I have like 20 or so hosts in my local.lan zone -- and then it also does my network's external dns requests. How many local records are you talking about?  Do you have multiple local zones? And sure the dhcp server in pfsense can hand out however many dns servers IP you want to its dhcp clients.
  • WAN DHCP Client Lease Info

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    I can't find it.  Could have sworn it was there somewhere in 1.2.3. em0 is my WAN and more dhclient.leases.em0 will do it. For some reason there's a history in there and the last one is current.
  • DHCP Problem/Question

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Good point. VPNs would be a huge issue with that ip range.
  • DNS-rebind attack: Should I be worried?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    mystartantiphishing.com resolves to a private IP, which is why you're seeing that. Why something on your network is doing DNS lookups on that is another question. That domain is registered to Visicom Media Inc. http://software.visicommedia.com/en/ Not familiar with them, but looks like they may be a legit software provider. Maybe you have one of their apps installed on one of the machines in your network.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.